neshta | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Analysis

max time kernel
46s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

neshta xmrig zgrat evasion miner persistence rat spyware upx

Malware Config

Signatures

Detect Neshta payload 25 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000800000002329b-116.dat	family_neshta
behavioral2/files/0x000800000002329b-115.dat	family_neshta
behavioral2/files/0x000800000002329b-112.dat	family_neshta
behavioral2/files/0x00080000000232a4-166.dat	family_neshta
behavioral2/files/0x0004000000009f86-174.dat	family_neshta
behavioral2/memory/1308-198-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5180-264-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x00080000000232a4-273.dat	family_neshta
behavioral2/files/0x000400000002017a-307.dat	family_neshta
behavioral2/files/0x000600000002004d-314.dat	family_neshta
behavioral2/files/0x0004000000020140-345.dat	family_neshta
behavioral2/files/0x00010000000200c6-344.dat	family_neshta
behavioral2/files/0x000400000002017f-343.dat	family_neshta
behavioral2/files/0x00010000000200de-342.dat	family_neshta
behavioral2/files/0x000400000002016d-341.dat	family_neshta
behavioral2/files/0x00010000000200cb-340.dat	family_neshta
behavioral2/files/0x000100000002005c-339.dat	family_neshta
behavioral2/files/0x000400000002016c-338.dat	family_neshta
behavioral2/files/0x0006000000020049-337.dat	family_neshta
behavioral2/memory/532-359-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2748-321-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x00070000000200b5-312.dat	family_neshta
behavioral2/files/0x00080000000232a4-423.dat	family_neshta
behavioral2/files/0x000800000002006e-454.dat	family_neshta
behavioral2/files/0x0001000000021372-462.dat	family_neshta

Detect ZGRat V1 31 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3980-240-0x0000000005A80000-0x0000000005C83000-memory.dmp	family_zgrat_v1
behavioral2/memory/3980-241-0x0000000005A80000-0x0000000005C83000-memory.dmp	family_zgrat_v1
behavioral2/memory/3980-229-0x0000000005A80000-0x0000000005C88000-memory.dmp	family_zgrat_v1
behavioral2/memory/3980-243-0x0000000005A80000-0x0000000005C83000-memory.dmp	family_zgrat_v1
behavioral2/memory/3980-245-0x0000000005A80000-0x0000000005C83000-memory.dmp	family_zgrat_v1
behavioral2/memory/3980-251-0x0000000005A80000-0x0000000005C83000-memory.dmp	family_zgrat_v1
behavioral2/memory/3980-253-0x0000000005A80000-0x0000000005C83000-memory.dmp	family_zgrat_v1
behavioral2/memory/3980-255-0x0000000005A80000-0x0000000005C83000-memory.dmp	family_zgrat_v1
behavioral2/memory/3980-247-0x0000000005A80000-0x0000000005C83000-memory.dmp	family_zgrat_v1
behavioral2/memory/3980-257-0x0000000005A80000-0x0000000005C83000-memory.dmp	family_zgrat_v1
behavioral2/memory/3980-259-0x0000000005A80000-0x0000000005C83000-memory.dmp	family_zgrat_v1
behavioral2/memory/3980-263-0x0000000005A80000-0x0000000005C83000-memory.dmp	family_zgrat_v1
behavioral2/memory/3980-267-0x0000000005A80000-0x0000000005C83000-memory.dmp	family_zgrat_v1
behavioral2/memory/3980-281-0x0000000005A80000-0x0000000005C83000-memory.dmp	family_zgrat_v1
behavioral2/memory/3980-283-0x0000000005A80000-0x0000000005C83000-memory.dmp	family_zgrat_v1
behavioral2/memory/3980-269-0x0000000005A80000-0x0000000005C83000-memory.dmp	family_zgrat_v1
behavioral2/memory/3980-287-0x0000000005A80000-0x0000000005C83000-memory.dmp	family_zgrat_v1
behavioral2/memory/3980-290-0x0000000005A80000-0x0000000005C83000-memory.dmp	family_zgrat_v1
behavioral2/memory/3980-293-0x0000000005A80000-0x0000000005C83000-memory.dmp	family_zgrat_v1
behavioral2/memory/3980-349-0x0000000005A80000-0x0000000005C83000-memory.dmp	family_zgrat_v1
behavioral2/memory/3980-351-0x0000000005A80000-0x0000000005C83000-memory.dmp	family_zgrat_v1
behavioral2/memory/3980-353-0x0000000005A80000-0x0000000005C83000-memory.dmp	family_zgrat_v1
behavioral2/memory/3980-358-0x0000000005A80000-0x0000000005C83000-memory.dmp	family_zgrat_v1
behavioral2/memory/3980-355-0x0000000005A80000-0x0000000005C83000-memory.dmp	family_zgrat_v1
behavioral2/memory/3980-364-0x0000000005A80000-0x0000000005C83000-memory.dmp	family_zgrat_v1
behavioral2/memory/3980-317-0x0000000005A80000-0x0000000005C83000-memory.dmp	family_zgrat_v1
behavioral2/files/0x00080000000232b3-376.dat	family_zgrat_v1
behavioral2/files/0x00080000000232b3-390.dat	family_zgrat_v1
behavioral2/files/0x00080000000232b3-402.dat	family_zgrat_v1
behavioral2/memory/952-409-0x00000000004F0000-0x00000000009F4000-memory.dmp	family_zgrat_v1
behavioral2/memory/3980-298-0x0000000005A80000-0x0000000005C83000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

_VTI_CNF.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe RVHOST.exe"	_VTI_CNF.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

Processes:

nxmr.exewupgrdsv.exe

description	pid	Process	procid_target
PID 1712 created 3360	1712	nxmr.exe	57
PID 1712 created 3360	1712	nxmr.exe	57
PID 1332 created 3360	1332	wupgrdsv.exe	57

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 3 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x00080000000232aa-271.dat	UPX
behavioral2/files/0x00080000000232aa-278.dat	UPX
behavioral2/files/0x00080000000232aa-285.dat	UPX

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1332-180-0x00007FF729FF0000-0x00007FF72A566000-memory.dmp	xmrig
behavioral2/memory/1332-356-0x00007FF729FF0000-0x00007FF72A566000-memory.dmp	xmrig

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

_VTI_CNF.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	_VTI_CNF.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4363463463464363463463463.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe

Executes dropped EXE 4 IoCs

Processes:

nxmr.exewupgrdsv.exeadm_atu.exe_VTI_CNF.exe

pid	Process
1712	nxmr.exe
1332	wupgrdsv.exe
4388	adm_atu.exe
4452	_VTI_CNF.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023285-37.dat	upx
behavioral2/files/0x0007000000023285-40.dat	upx
behavioral2/files/0x0007000000023285-39.dat	upx
behavioral2/memory/4388-41-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/4388-217-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x00080000000232aa-271.dat	upx
behavioral2/files/0x00080000000232aa-278.dat	upx
behavioral2/files/0x00080000000232aa-285.dat	upx
behavioral2/memory/5480-309-0x00000000004A0000-0x00000000012FE000-memory.dmp	upx
behavioral2/memory/5480-471-0x00000000004A0000-0x00000000012FE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

_VTI_CNF.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Windows\\system32\\RVHOST.exe"	_VTI_CNF.exe

Drops file in System32 directory 2 IoCs

Processes:

_VTI_CNF.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\RVHOST.exe	_VTI_CNF.exe
File opened for modification	C:\Windows\SysWOW64\RVHOST.exe	_VTI_CNF.exe

Drops file in Windows directory 2 IoCs

Processes:

_VTI_CNF.exe

description	ioc	Process
File created	C:\Windows\RVHOST.exe	_VTI_CNF.exe
File opened for modification	C:\Windows\RVHOST.exe	_VTI_CNF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
3648	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

Processes:

timeout.exetimeout.exe

pid	Process
3684	timeout.exe
5964	timeout.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

nxmr.exepowershell.exewupgrdsv.exepowershell.exe

pid	Process
1712	nxmr.exe
1712	nxmr.exe
3480	powershell.exe
3480	powershell.exe
3480	powershell.exe
1712	nxmr.exe
1712	nxmr.exe
1332	wupgrdsv.exe
1332	wupgrdsv.exe
3504	powershell.exe
3504	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4363463463464363463463463.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	1548	4363463463464363463463463.exe
Token: SeDebugPrivilege	3480	powershell.exe
Token: SeIncreaseQuotaPrivilege	3480	powershell.exe
Token: SeSecurityPrivilege	3480	powershell.exe
Token: SeTakeOwnershipPrivilege	3480	powershell.exe
Token: SeLoadDriverPrivilege	3480	powershell.exe
Token: SeSystemProfilePrivilege	3480	powershell.exe
Token: SeSystemtimePrivilege	3480	powershell.exe
Token: SeProfSingleProcessPrivilege	3480	powershell.exe
Token: SeIncBasePriorityPrivilege	3480	powershell.exe
Token: SeCreatePagefilePrivilege	3480	powershell.exe
Token: SeBackupPrivilege	3480	powershell.exe
Token: SeRestorePrivilege	3480	powershell.exe
Token: SeShutdownPrivilege	3480	powershell.exe
Token: SeDebugPrivilege	3480	powershell.exe
Token: SeSystemEnvironmentPrivilege	3480	powershell.exe
Token: SeRemoteShutdownPrivilege	3480	powershell.exe
Token: SeUndockPrivilege	3480	powershell.exe
Token: SeManageVolumePrivilege	3480	powershell.exe
Token: 33	3480	powershell.exe
Token: 34	3480	powershell.exe
Token: 35	3480	powershell.exe
Token: 36	3480	powershell.exe
Token: SeIncreaseQuotaPrivilege	3480	powershell.exe
Token: SeSecurityPrivilege	3480	powershell.exe
Token: SeTakeOwnershipPrivilege	3480	powershell.exe
Token: SeLoadDriverPrivilege	3480	powershell.exe
Token: SeSystemProfilePrivilege	3480	powershell.exe
Token: SeSystemtimePrivilege	3480	powershell.exe
Token: SeProfSingleProcessPrivilege	3480	powershell.exe
Token: SeIncBasePriorityPrivilege	3480	powershell.exe
Token: SeCreatePagefilePrivilege	3480	powershell.exe
Token: SeBackupPrivilege	3480	powershell.exe
Token: SeRestorePrivilege	3480	powershell.exe
Token: SeShutdownPrivilege	3480	powershell.exe
Token: SeDebugPrivilege	3480	powershell.exe
Token: SeSystemEnvironmentPrivilege	3480	powershell.exe
Token: SeRemoteShutdownPrivilege	3480	powershell.exe
Token: SeUndockPrivilege	3480	powershell.exe
Token: SeManageVolumePrivilege	3480	powershell.exe
Token: 33	3480	powershell.exe
Token: 34	3480	powershell.exe
Token: 35	3480	powershell.exe
Token: 36	3480	powershell.exe
Token: SeIncreaseQuotaPrivilege	3480	powershell.exe
Token: SeSecurityPrivilege	3480	powershell.exe
Token: SeTakeOwnershipPrivilege	3480	powershell.exe
Token: SeLoadDriverPrivilege	3480	powershell.exe
Token: SeSystemProfilePrivilege	3480	powershell.exe
Token: SeSystemtimePrivilege	3480	powershell.exe
Token: SeProfSingleProcessPrivilege	3480	powershell.exe
Token: SeIncBasePriorityPrivilege	3480	powershell.exe
Token: SeCreatePagefilePrivilege	3480	powershell.exe
Token: SeBackupPrivilege	3480	powershell.exe
Token: SeRestorePrivilege	3480	powershell.exe
Token: SeShutdownPrivilege	3480	powershell.exe
Token: SeDebugPrivilege	3480	powershell.exe
Token: SeSystemEnvironmentPrivilege	3480	powershell.exe
Token: SeRemoteShutdownPrivilege	3480	powershell.exe
Token: SeUndockPrivilege	3480	powershell.exe
Token: SeManageVolumePrivilege	3480	powershell.exe
Token: 33	3480	powershell.exe
Token: 34	3480	powershell.exe
Token: 35	3480	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

4363463463464363463463463.exe_VTI_CNF.execmd.exe

description	pid	Process	procid_target
PID 1548 wrote to memory of 1712	1548	4363463463464363463463463.exe	107
PID 1548 wrote to memory of 1712	1548	4363463463464363463463463.exe	107
PID 1548 wrote to memory of 4388	1548	4363463463464363463463463.exe	115
PID 1548 wrote to memory of 4388	1548	4363463463464363463463463.exe	115
PID 1548 wrote to memory of 4388	1548	4363463463464363463463463.exe	115
PID 1548 wrote to memory of 4452	1548	4363463463464363463463463.exe	116
PID 1548 wrote to memory of 4452	1548	4363463463464363463463463.exe	116
PID 1548 wrote to memory of 4452	1548	4363463463464363463463463.exe	116
PID 4452 wrote to memory of 3460	4452	_VTI_CNF.exe	118
PID 4452 wrote to memory of 3460	4452	_VTI_CNF.exe	118
PID 4452 wrote to memory of 3460	4452	_VTI_CNF.exe	118
PID 3460 wrote to memory of 3736	3460	cmd.exe	128
PID 3460 wrote to memory of 3736	3460	cmd.exe	128
PID 3460 wrote to memory of 3736	3460	cmd.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3360
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1712
- - C:\Users\Admin\AppData\Local\Temp\Files\adm_atu.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\adm_atu.exe"
    3⤵
    - Executes dropped EXE
    PID:4388
- - C:\Users\Admin\AppData\Local\Temp\Files\_VTI_CNF.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\_VTI_CNF.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3460
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:3736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
      4⤵
      PID:532
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
        5⤵
        
        PID:2280
- - C:\Users\Admin\AppData\Local\Temp\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe"
    3⤵
    PID:876
  - - C:\Users\Admin\AppData\Local\Temp\is-3IMPQ.tmp\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-3IMPQ.tmp\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.tmp" /SL5="$70204,1495449,832512,C:\Users\Admin\AppData\Local\Temp\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe"
      4⤵
      PID:3100
- - C:\Users\Admin\AppData\Local\Temp\Files\Quasar_Share_20240226101148498.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Quasar_Share_20240226101148498.exe"
    3⤵
    PID:2748
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\Quasar_Share_20240226101148498.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\Quasar_Share_20240226101148498.exe"
      4⤵
      PID:4884
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\NICEEY~1.EXE"
    3⤵
    PID:532
  - - C:\Users\Admin\AppData\Local\Temp\Files\NICEEY~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\NICEEY~1.EXE
      4⤵
      PID:4588
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whatgoal.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whatgoal.exe
        5⤵
        
        PID:2636
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\GREENP~1.EXE"
    3⤵
    PID:1308
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\native.exe"
    3⤵
    PID:4292
  - - C:\Users\Admin\AppData\Local\Temp\Files\native.exe
      C:\Users\Admin\AppData\Local\Temp\Files\native.exe
      4⤵
      PID:3980
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\Update.exe"
    3⤵
    PID:5180
  - - C:\Users\Admin\AppData\Local\Temp\Files\Update.exe
      C:\Users\Admin\AppData\Local\Temp\Files\Update.exe
      4⤵
      PID:5244
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\laplas03.exe"
    3⤵
    PID:5432
  - - C:\Users\Admin\AppData\Local\Temp\Files\laplas03.exe
      C:\Users\Admin\AppData\Local\Temp\Files\laplas03.exe
      4⤵
      PID:5480
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\Files\laplas03.exe
        5⤵
        
        PID:5332
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 0
        6⤵
        
        PID:5952
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"
    3⤵
    PID:5660
  - - C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
      C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
      4⤵
      PID:5736
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
    3⤵
    PID:6076
  - - C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
      C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
      4⤵
      PID:952
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3CF.tmp.bat""
        5⤵
        
        PID:6060
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:3684
      - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
        
        "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        6⤵
        
        PID:5584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EXE~1"
        7⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EXE~1
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EXE~1
        8⤵
        
        PID:5592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5EB0.tmp.bat""
        9⤵
        
        PID:5288
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        10⤵
        Delays execution with timeout.exe
        
        PID:5964
        
        C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
        
        "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        10⤵
        
        PID:2616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        11⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn ERGVRDVMSK /tr C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
        12⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn ERGVRDVMSK /tr C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
        13⤵
        Creates scheduled task(s)
        
        PID:3648
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\PCCLEA~1.EXE"
    3⤵
    PID:5216
  - - C:\Users\Admin\AppData\Local\Temp\Files\PCCLEA~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\PCCLEA~1.EXE
      4⤵
      PID:5572
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe"
    3⤵
    PID:5756
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\netTimer.exe"
    3⤵
    PID:5532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3480
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
  2⤵
  PID:2264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3504
- C:\Windows\System32\notepad.exe
  C:\Windows\System32\notepad.exe
  2⤵
  PID:5548

C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
"C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3708 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:3736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
33KB

MD5
79fd0807f79ab6d7c27aa0f201b997af

SHA1
ff26755627698839459ff297a5ea663af5ad2919

SHA256
dbf813529d4ca0ecbf2c869e66c0d1d5d2c4f3d645b1b63fc2cd91634c3b2ae3

SHA512
9da9f8625f545f77d10a52ff931c81f3d5f61a04090324f34e42c1807e6b01ef28d44ad7b5b99828f9451cfe4f350c90e4f5ad7b00104eb5c6652971008229ac

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE

Filesize
177KB

MD5
d18ccc2c871a41ddae57b2f3f6dca94a

SHA1
d0266b1fd9c6fb2fd465d4e53baf8cf5eed3b65e

SHA256
398d12277e2b246078be083bcaa1a5d727df27a8877f809fbcc283ee4983961d

SHA512
3df70d798966c3599dddf561f2429ee4904fa0b051310b052bf210f50f36021cff5a23aa6e8d3f66bf21b8a3edff39d2c58aac78a6015868c09556b2222a6404

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

Filesize
72KB

MD5
c7d737d5f3b6920462dceef1523f366a

SHA1
6f38179e8e06caebb9898721448fa41cc1edbf69

SHA256
fbe16380b0a9eebcb46b483ecf99e8d51ed552ed436c75809435972da8208fa8

SHA512
d0d2525381a655adcdba5f968154d005ee55e28a27da2f3ec87169667c2d92f5b3bc5f7773fd7c50380b99ab9bf651bc9d1164165951236fa4907d0eaa56bbff

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

Filesize
466KB

MD5
b9c7699b9555686d4dad09b6b326cec3

SHA1
ffb6de7f2464bd63ced5c23aca4562ce4c0c299c

SHA256
232b1e13e275eafb55bb4f617c44eabfeead169e9dd74963e4e921cb1c66aae7

SHA512
b75052a23307b8f8f1eb08cb9333aa11dffe5e9fce5e905219a6d89b1d82f6d79398110d91f98f0e9ee35f9abd24b7f77a409dec8d1be5a1429d3932e7adbf14

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
26KB

MD5
3b8171478d77bdca6b83b41c9ad8b156

SHA1
8875d530ec6529ca37d115a1dd6f555a5f416851

SHA256
2af79181d8043728c0795a5fa3736173d3828de5e3bc281d1bd2f89572b4be47

SHA512
58bae62c6b78f6fba444610fadca48e9117694476a1f24cf4c3c9aaf0b620dcdf0c32196daac8b1f12cc55e5eafb4e68acbfeb4d211ed617ea4d4821bd428594

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

Filesize
66KB

MD5
495d1de0bca00d5f29dc9d5645f57078

SHA1
b79f855e12a23c2e8ee420593dcccb6a7e5ded5e

SHA256
80d41c86ebca99525d9d5433fb27b11d7083a878f729cc036cad7770d999019f

SHA512
d26f5eaff73b8c6413b3f2d71c4311122f68e37ad75962cef3f02724bcc427ad669465178eec1482a3dd07185f339f730c18defe275217118a5aa22ba7f0bbd0

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
110KB

MD5
c9de7d9792e2503e8e56baf385889b1a

SHA1
44f3dbf9f15955bdaed1e26f34d9e47242efacd2

SHA256
a5e75525338353f765095c28763a9c3d8370a24ca3e7fe473e94b113a9b6d587

SHA512
8c22b7bca0481274eb6300457e87bc68881425678593cf5984214879d01500d320c4510ef3432234e64d66b491d70d783a4b1d449c7ccdfae10e74bb5784bf75

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

Filesize
226KB

MD5
ce190cb8ad5ac7c02f6c2afd874b3952

SHA1
8b8d2bd7ac1fc1d38bab4249ecc503b7d104ff5a

SHA256
81c0bb21d92cba3647c6f1395be2dfe1b6bf8d26f5493f8f1e6ff76889e59390

SHA512
39eb0c4ebe87c61bcb406b49d07e284e2d3fa649e20807bb231a60b9ace8f29574c80a289d7c347c43ec3cd97467c4a189364cf6be91abe8f1cd96632ef092b7

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

Filesize
234KB

MD5
16911947c41106a6e94209d06dc3ef6d

SHA1
b413a4a9a9933538cd5567c999981b50705051c3

SHA256
f9f6e3c76191d5490456f18a2175cdfa3b865d5dd1606f8d83c03b1890a29030

SHA512
04c9bcadd5581016a8d02d7fbbdeb7e0aecd433da14c5feb401e9fc3be3a351c15247aa3fc00cfd80bf7cdaf68658bf38add21131e6aa6a7fd7e80cd9bf14afd

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

Filesize
98KB

MD5
5e9682de8ce810a3335a32ec67852229

SHA1
c7b9a81073855e52079820c6e7ac90b59ed758e2

SHA256
3267158b030449eeab379219903e9e060439de6aae00a3b7af46775dbb078fcd

SHA512
c62f5d37b24670c1874b537e6b7e67590aadf951e06432e1f0c6cce41bbf8e9b92054073fc6e69ace6d480d6e1152d70c2a8ce5f186211beab01f437b431d95e

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

Filesize
82KB

MD5
b86335da284846c0d5730b2aedbab340

SHA1
56f9e911215602be08d42b298226615eeb7ceef0

SHA256
1d176b6a77d42e98ac6d9cb563b4c9a13a9304ac78d2759bb86f79cf1fd25383

SHA512
81ac381ae060b3ef4814c0b561311b27523d527d9f16e44aa5f83e513145f5b253e4ca06eedecf671746f2557a1249c9bc015aa81768adc8a197a163a2c76be7

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

Filesize
46KB

MD5
8649b36be2baabe11ffc98a81088076a

SHA1
18bb5837675eedd54fe849997caa999ca48972bf

SHA256
ea15df79adbadb8d6914b39a6f2c80b24dcfd0350af579f339dc4314a0b4f2b8

SHA512
a096a3f5747dffbf94f6fd588d191bd93616b5ed4800fc14847f3fef8c58e30304e73bc8dd562bb22b1706f2702f87eb2d760d97cf6d3bc39488d57c4f4f6328

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe

Filesize
61KB

MD5
a63a623b73d980df29212cee60963e3c

SHA1
0d1ea248828872cb18ca71624d96186cf6ae4770

SHA256
ca83560e2679b85ef21699d80ecb4a3c4ab4f0e78c8994963360b2f76d844f0d

SHA512
5f8ea369dab5ff8d26b23e310347e3af513d1a943ddd0e7ac828e8c23fe5b924f3f091e7444163c49a393b32474091efda81e20f72f4a5bb79a612d587204384

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe

Filesize
65KB

MD5
fa1316bd4e0e72ef6eee86bf9d9d23b6

SHA1
1159c0b8db0646a83818b8f26f318509ada07400

SHA256
6c6f5f9058993610ca764d371ec22c25216de0e9ceb0245872b06cca8d4aa4c0

SHA512
66899966092e6e58a8a04a8e52ee69bbe387fb34d661c1b4199e23661c7db8b501ab55a2fbe6bef3923f38dc255898fd7d0cc50efd97ceab6bc2b1fa8945ac94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
fee026663fcb662152188784794028ee

SHA1
3c02a26a9cb16648fad85c6477b68ced3cb0cb45

SHA256
dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b

SHA512
7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2e6370355138fe6f0ff8789a59af0e1d

SHA1
454eca544a4e2045e202e0d7a1414777e76392cc

SHA256
f86f4ce6ead9e89561cdea866e7f7254694ee69a61a045a51f61fc82dd60a708

SHA512
616e98275ac0fb49a3e85d732c7660a386a4f796e5559d184d9f34d9c5911395cbf7666768332fe9964bf0c861a935867c9de2c84bd3d28e6c10a2cee51cd34b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\Quasar_Share_20240226101148498.exe

Filesize
116KB

MD5
46a92e6a72dabf65bf1b5263714d9be2

SHA1
60e60e028fc0e936e212a22392fba90c0ea57783

SHA256
e4fa79839209a912183d6793de4eab52c5c77fabe400592e1fdee4228b8450a0

SHA512
6f675bfe1b5267ca449b403c843c1dfa1435c3a903db9886a99cd06f2425e4fa16d41f373015dbf458be09a7dd31c84cc508d21c22cefbcb11fa144775253cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\Quasar_Share_20240226101148498.exe

Filesize
271KB

MD5
ed1a7320922cba8d58387e68f95e3dad

SHA1
c6bb6cf89230ae35e2a4c597aacf2f5f281a6ff8

SHA256
bf1db5c52b284c4e650f374a0db210d19ee2f45d79f39bb81a2290d8034362d6

SHA512
531cc198c152bf9b3c07cfd1942fa9956b539866be56e9f6cb6304c7e96abda932891a6f42277901d82daf4b1896a6b7a5764eb90fed1970ef900d867c9a4a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\Quasar_Share_20240226101148498.exe

Filesize
192KB

MD5
ca88de6d3c4d1b08a35676e0c5360342

SHA1
ff5f66000bd0923d0641e17bd4be95560f033704

SHA256
46fb75724c3598da0c416dd7e7c3f1c0440db69b0a06f86b33dbfb90ca7621b0

SHA512
1f71e91f0fcc0c9bba7c92b84f022e496dd723c26594e2658a12fb5e0bfcd7271fc4215793603387d4f8ba082066d20275d57bce67d4bb338957ab5e4e471e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE9EEB.tmp

Filesize
127B

MD5
0067c23aaa553ce487b1a032583407f0

SHA1
e256f9f2302b5cc9578c302890b33d5ef62b49b1

SHA256
db6b3cf5c5707daf43b2dd42d5a1fe6ea3c8ffada09f9369873874f2b8a2ccbc

SHA512
a71e06250cf92dd736f6d5ddef42db286a958699e8584fe299bf5f9de1214a7968c41a787d1ad02def0caadb4f657648cf88cd1e1a90ca3883a5a265455f9d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe

Filesize
730KB

MD5
7caf356d5a66f7fd901cb2260298d93f

SHA1
b0f2c13812cf61e3bae11f40450832f4b6610ea1

SHA256
69aeeb79d17e6f97d46fd0bd2f56b9d697c22b5e32eee7eb2cd58aef03a61390

SHA512
5fd9cecf724b5d122d05dbec0a91842fe1d8d6a535aede63c6d77d768871defe99a78c4c446690da519a370de38e5a20ff196fca32b7082c8ebd1c1c0d0e22fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe

Filesize
531KB

MD5
a3b0baafa390e46a5a9cfd0186329ab5

SHA1
0f35569785facc5f8e9eb5a03fb860923448b7db

SHA256
b9cf44b1e31ca022bfc6c223c59c0ce86d6bf301ce625ee2a1b94b5b0776a62a

SHA512
a9541591956b71b5206ae243ab29c2b758648cbea17b424c8172505b163a7812986700c97a9e8a6a68ef3974d152b104942e055ff91b49bbe9922948ab3396e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe

Filesize
455KB

MD5
899a8dbf4d38cb6b58327ba5be763fa4

SHA1
90ac6b725e6c7f34072167726980c58435c9afb0

SHA256
916e457dcbfde8748c8e23d9ae8011cd57cb8af8cb003912d1269412aa3f8854

SHA512
f26dd0c4dd348cdc43a2c572f96d9f0473418eb91d326c6d2c07fc05269380ae9aaca5b105ccf623f68dceac8812d847a48cb82391cf7bc5f71b09b3175ce59b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\GREENpackage.exe

Filesize
1KB

MD5
31dc43d6271b9523645f5775e582bd61

SHA1
fd0c013ca56458969da3afb1bf493a5dadbfacd7

SHA256
9ab69529bdde1e8b6dd141c5194afad9cb5efd96091558d6019474329bffc1a9

SHA512
05ec87cb89ab71ad1d4d1c89278281fef84166940d864d0b2b277a506b3acd1b556b531b1c9a3f8139c6223e661bd1a70ec9c23753aef7476eac8e91f47a79c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\NICEEY~1.EXE

Filesize
163KB

MD5
892499d3cc60e43c0a3b89a0d7b54add

SHA1
98b4e07ba82cf35d73899d8c1a0888b0b11b932a

SHA256
506940f9c73daa2418c8e340a8969c842ad46ccf7da209e160368f59cb3ee8eb

SHA512
964c91b9b2c405b9cc5217bff9727c659e6a2b41077cc1faa880de069c3cb37bfa7d7c4bc860bc888453a3c13f02017903e19d4a28183d2b7a494de5a7b5498e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PCclear_Eng_mini.exe

Filesize
32KB

MD5
b41541e6a56a4b091855938cefc8b0f0

SHA1
8006b2728d05eab4c5d6dc0bb3b115ddc1e2eaa7

SHA256
d4c48762f128436fed18b9c714e55bf7360802127efb233ad31ec4b0f7f649b1

SHA512
a3c2b5dddbb5b8ded63e04672610287458b4bed6ea054e45804e612a2896d92412ef632c621a49b445412d8998a5edc914b055502e22fcfe0e178e5098b64828

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Quasar_Share_20240226101148498.exe

Filesize
704KB

MD5
22bb68267d460d99d81cb1c1b35cc403

SHA1
5b437524b3f10874478aa37639d344d3b0cca144

SHA256
3a3d05fc75441947013f9d285acafb1f7614f9a364384ebe41a937244849beee

SHA512
a72f90719e835965b28a8c2b690d020a9fa85f7758231c000140afff075448132220c530f2414f059f4f9c06675d7fb758d7e5ace5fa1bd1a5385db10977c2db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Quasar_Share_20240226101148498.exe

Filesize
471KB

MD5
be25b58ca8335804963096eaaeac3bde

SHA1
8fe9db6d35e59dd5aaad64e3926582be9d3f2cc2

SHA256
435a1e05e641f622e88dc87ac53b1e1e688a6815e051f2b921b322efccbc2fb5

SHA512
894b295781e386ce8dc6fb0614192f337e6c5c86ef30afb6bfb4eedc8837ad20e03b9984a6ac4a70f654a632cf6d1c6576af3a15a4cb19840c5a41ee6a4495f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Quasar_Share_20240226101148498.exe

Filesize
543KB

MD5
bad0cf90a2968ef7231fe49f70d9846f

SHA1
fab8f67f3b9c136cc3ee483eae0da4ab292bc425

SHA256
7887b70981991eac5a4cec5c647d8786beb4ea03217bdbe35976f6e504a4db98

SHA512
5e221a820a9705b75c4d1bb87fe4de969a0df0184eeb8a14a1750a96a56b70c551222ae64bc7d2d7bd5ddc9823cec34af377fe3d04dfc713faad1faada548145

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Update.exe

Filesize
6KB

MD5
2cc13a0965fd1376dd234b4ebdd16cee

SHA1
3cc9e3c051e8c63a71411e1f35916b2d0da8f595

SHA256
f80f8f19c298166cd036c9c97deca660f045ea984e642a501d2edecce77b2f04

SHA512
41c4e5d6ec42b56481e33c72238e30cce241e3ab0c2d2b691a1a90b0b6732842876ec78c4a42fe600dc20f7e39bdda1371bc1358c89059fae273ff8dec21b8d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Update.exe

Filesize
28KB

MD5
e920fcf416bc9b5feef61e65eef1e056

SHA1
86c6d9bc6396ac4d31a316a9de87b172268d7408

SHA256
c1760a7167593333d75f4a0ef310c0c503aaf3c3780ab951c84fe0625d397af3

SHA512
89d8f4a8922d87b2f76f25cf90385d25070169b7b70db40e402be5233e4051f02aae62a9d31363d20e6a1b76b4ff655b95d4baaf4f682e2bd4ac5a851a61fe19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Update.exe

Filesize
17KB

MD5
be21e7210eca5696ea2078d9464aea2d

SHA1
999cd96fe2d7e059c14d4edef0731d455a93f8ff

SHA256
0b41581b54956fedab1b42b5374610802a4ff92ac9c612b7adb4485b76deff6d

SHA512
7fec87a3d91810e8d32be4ae8d1ad18139ab6c5c3e5cad51453a440b49f3465b42c9126d118a5cbb372a599d2d1fb6cad4e12635ef54787dd793df773ae1e79b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\_VTI_CNF.exe

Filesize
329KB

MD5
95d4e6bf0700e2eabfa4a1d1eb9b2677

SHA1
3440cbf91d430008aff32bea6546426c9072b54f

SHA256
b757f25c97e7cf0a0d107938208e75b57e3d4d25101196f78e31f72bbff94d46

SHA512
3f8f3d6e76a85a2fd470afc0e01d5c5525dad5df22c3ec97145147a22d102c76f08cf13db56b6167a82a83c7c798171bd092a779f08005cce24b33b54cf34894

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\_VTI_CNF.exe

Filesize
384KB

MD5
55bd567d77982cd10adb6b9dc324947b

SHA1
04fa9159bbd63d45262e26a0111437989f860408

SHA256
5c7e60fff69a362eb14e6407b5c717158cb28fe7bbec63bee57a0e32fe40c727

SHA512
27bf456fbf6901e2b21dc4ccdb50b2f59c2ce9e3c43b93dc2c92836780e3ad3c4d659a35e2ff056c2b90f84e60d4c0d003f65577edcac9a912fb98606f6c40a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\_VTI_CNF.exe

Filesize
172KB

MD5
4ce138d0b9a25ba5f3e0cbb392ec8be8

SHA1
a91d0139eff84890d897d5eb6bcf8ddac0b85fc1

SHA256
57ccf7dc5149d6780ea4fbadb388310d72087aaa20752be1a9bd8610fe78df4c

SHA512
609aff26ebb2423e7fcf3f7f5a826c8da1d0a8a96fb09de3541ef2cba0addf6ac9db5756233dbb50f5c6ef8cbd2eb0ad5aa203e8fc2b0a0013b0ce5ae190145f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\adm_atu.exe

Filesize
833KB

MD5
6a8ae6f95a1e774dc52c4f9c146d2e38

SHA1
c23e49d1f15c1d14eea1eedcfccb346fde26f958

SHA256
993ca55bdb9dc8eb072f3a20a289ad6c7cd334f96a4860ef453bb868ab69de9c

SHA512
69c497fe398f97777863dfbce5ec160a8999e1a425b12c64eaf6556188b8cbe6cf369c5ce67862221c903ac9a85144014d808cdc8b3f788f8bbdfdc441d49fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\adm_atu.exe

Filesize
988KB

MD5
a1cbba8ffd9ce6d39056d27739ef4939

SHA1
c51041d946c414e2a78e78e9fca4929e10d5f71a

SHA256
6d4847a44366a70f34345ead70bbcaabe1a355ded8b0e94a679e9958c4c6e2bd

SHA512
d75e48c4880526eef425a07ceefbf233522afaeb4ae795e384a3252fedd6cc1197a4a094aaa0d48404b1322ce225a887ef1d97b6d5b2a8c50fddd0c5c1254f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\adm_atu.exe

Filesize
603KB

MD5
5bc255e44bb9784dc0c14b9c9c8da535

SHA1
e3ce13f991510334313514b733781599231c642b

SHA256
dd0b11142e34ad1aef0f8e686efa06687bc41cb17a2aab9cdfb4133a4a977eaa

SHA512
edf1376dc97e4c759a7f9b19f0f6f22fbb25a13380837468b7d8ed6a577ad7565717f4b14b175e3671728343390850ab3316f71dd0c4a311d28e6a67cb2c30b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe

Filesize
74KB

MD5
36f2be9379978322759860c0815baacc

SHA1
1f4fffbc2716e6ca7cfd3bb395ef56189d88e93e

SHA256
afa7cf5049b0cf81d26e163bf79b2d73c5c61a09ba6e1effe661a9ddf12cbd90

SHA512
f013dfd117b0ede4b3bcd3d020df2a0c77ba7f3b6f14191aef4b0d8180690fe3b6ec7f94d7949b52138c2f9d8bdc037755dc6c03346300a5ea9301101b2c7e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe

Filesize
91KB

MD5
4a32530bd0a7dd8deff883ecff9ecbc4

SHA1
1f19110afd32f2dd9d01a195077af89f83cdfdcc

SHA256
40c6c7489888a5858f6e88d5337d808f45e78fb2f53fb68f5c9cb4578f8a81a5

SHA512
45335d02b971b0bca7e6929f422e1773a7d3e559fdb671cc5ba03607499f1578b2f651ec884202d15ef90a9aa1c40716b385d04497c41a29ecc946f4ef817418

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\laplas03.exe

Filesize
94KB

MD5
63fffeaa47b6cf6d2a7d53c62e2660b4

SHA1
20690a7fb5be61f477c6832236afb003ab8365b6

SHA256
1218efebfbb37dd555a9aea3bf7876a11becf2807e3f560d57788b2f091aa42a

SHA512
a8a6f3a711ade42d2c61759aedba4bb6c828d33188e988cd01ff485cd0ffb33aaeb1fb4cd109d23f5d6b0779a6f32f1f9e6ed3a0d09d6be9fc46ff49cde1a0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\laplas03.exe

Filesize
51KB

MD5
17e18eb1f2ea86ab51cea73628348751

SHA1
faa5f280bbe2cada02abe07b377dcd182a93cdea

SHA256
3cce91cd39b8e11e7ad14214cc0ee7493c1acd30ad1650c0e348649c54a1e15b

SHA512
d01958cd7b370ba5585af41980ab4e57b565ba976b3198593617fc876e80dfa8c08df4089b8f0a31182cd374c82a37f3feed22bf681c8f4ff0f4a77b781f871d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\laplas03.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe

Filesize
41KB

MD5
9650130cf5c404dac7735123ea8bb2c0

SHA1
ea63f89dffbc3ccc9b8ad21bcc7b8414017e3ae5

SHA256
1fe850ee4e75d5ed810b8ccc74a2c79e26a4db176d6ac9e09c1913b6c733964d

SHA512
cf33693e938df0436c2fa6233145c3470ad73b11606c14cd05c9c887833654ab1dc9f04fc579e600346dbfc120809bca426dbc66a358bead240d7f83a007ca93

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe

Filesize
68KB

MD5
cf5a2da108c781daa9acb5d4ec18d2a5

SHA1
53a6f1d58a4da4683b4ecf5ca7c2493996ce856d

SHA256
d87ff2d86bb44ac24c6365ad2ea374b59965b9e92caa8027a05a505c41bbef68

SHA512
d52edf3d1ff26437d345bc651807790f5b569e1c7533ae1ff0e249ab42b30a3d60d1d4302be1f18dabe695edda4623945a341f332d5c43fb53c5b5461f3b1c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe

Filesize
13KB

MD5
cd0cc3ae4229b25a0d453ebf7c329ff0

SHA1
762561e36e886cf2f11d29883c59aca9ff27a642

SHA256
3aaa39c05a1ca7913181afb0ab4af0be54ab520d96bf286f57c9ee574e056ace

SHA512
7ff1638627f240a5547d9ef986b5768bd00839ef522e8d7e5e026aaa7da6d243d94f96bfe9b95a268fe1806ddc6309fe4c92704839ea4433b879d8b294000790

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\native.exe

Filesize
417KB

MD5
4d86d209bedfc09ddb501f27e1548d6d

SHA1
de4c2d3bd3fb1d8ec16b2f2d00e7444258c5601b

SHA256
3304cb83bf50ee1e3558f2d1e682768dd685d28b3e59ad75b850242f098a8a5c

SHA512
63581fea248a5e5d8215c0ce635895eca23388b57a9d6456c53c72b7b312d276eb942f87b3a3a728488feff0de286805b27b369a8aba693ab76a2fa9e2ceac6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\native.exe

Filesize
91KB

MD5
7af1c5560f6406404bf975f7f04b2881

SHA1
ebc3b07c33e28333516f2807b31dacccbd361667

SHA256
ab45dd2a69095b199434fcae16c9e6b0102b624eded19362f3e020412a5b6ccf

SHA512
fc8de8b161e0fefed2a5c414c5189181e47edd738bb1785db41cf45a94cc5142c8709601e088c6ea1a4ff2d1695e04109d03b099a606eca2e876334e445e2197

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\native.exe

Filesize
102KB

MD5
3b40c38584d889a7eb20f41bf1805152

SHA1
302862b4226fc50b15e8a6c9bfe01881c1cd8176

SHA256
642f16017809fcd0a3ab01221d4c5c07583e8619eee40bc9b738386b8c09caf4

SHA512
d274671bf156dcfbd6eee9786740f585d4dfa62dcd806abfe3ea5665663e448b264f0e7c8945f7614083ebcb20a4b9071228eaf33fe52b9b770de8aaaeb6301f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\netTimer.exe

Filesize
1KB

MD5
8fb30cd3b5b917e2320d105e339dd841

SHA1
873e76a40534cba6d9d2c2d031eba54b58a8eb1e

SHA256
201621e30743037001ea046e6a2320448d5f15641cc69b8879f5ea668aa9425e

SHA512
f9c9d87877f9336796c8c72030b20fced71bb21aa8e45a91bb5fb278ee676fe75c59af985a355450c9fbf5eb7d2ce83e69b32247e0642504a4eea6df217dcf1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\niceeyestrain.exe

Filesize
186KB

MD5
5352330d462586bfea94ecb001ecef5e

SHA1
85a16c3d2f7dddc65a9ff7243e61b142fad9b497

SHA256
8a049d96c7cb3586360c4936c28a543f8625ac00870a5887478eef8f2a169549

SHA512
5de8fcf8da17d3da4e5d6693cb7bf9e1bc5a5f39d80380f83575b9e26ea7f5a99ebb5e33f5c2ad37e64daefedef144486ee01620090f10a12dd469a847820679

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\niceeyestrain.exe

Filesize
70KB

MD5
031c0bedbe80987f4c47c0abce8c6d9a

SHA1
2938e93d3b577281ecea024e7a931663e2040353

SHA256
2e5ac3a2aeb58de3468f37f162833691f8eeb7c965c8e056f649b3839880cf48

SHA512
5ae51e9e4b647f0eb963411cb569e60c966002e2df0e5e74bcd5806aaa925ab74869eef5db43f71c7d43bc68e009ea011a1acbebdf637f6bdc9d7a16403204e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe

Filesize
64KB

MD5
d6a0c442853432909083dd5a92045ad3

SHA1
205cc238fddbac64d40f03093f931826f5312833

SHA256
b287e18be774bf69969c673678f30a37e2aedc4712166891d606245bfd8b94b5

SHA512
fe8c83bf20b1eb867167292e5fdd4c2be062105547f3c18bfff44c368c6dcbc290739c0a83bd51b7ec57ba2c787864ea0f2c59a9e2caad74daa67d8e438f39c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe

Filesize
790KB

MD5
457ab4e75bb62748e0de93d81f24e091

SHA1
7a196ba921287b44769129c5eb29cd8456c3cc23

SHA256
f4cc554b1dfc9d60cc9f58ed65d65602f99de80e13492c7d762ae4997145bf29

SHA512
cce3dbaebe3132646b59a98acd4e13263a49b82225760ffd0ee94fe4c33c419de867286362ee372a361bc93ef3b8154198699bdef0f4fbfd3a46a7b415524eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe

Filesize
4.2MB

MD5
5e3b69a9872bf90622c5c466f14845b9

SHA1
5383bcdaf9e3a3531fdceeaedcb3296f002456ca

SHA256
0441ffd6875fbddfca86cf6e7e27eb1a0b51a63e77641814b38d65838691bfe1

SHA512
321138b383e694606331ad0df2e493ab73887832dbab64b1c923882d477cf563e8f7191daa128b9233122e024d86aafec77897a10894378e19a8bef5a52cb91e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe

Filesize
134KB

MD5
766706b0452d439b8e1f8e56b10406fa

SHA1
ee137bcdaef3fcba7770ab0b38e30537debc8fe5

SHA256
eab857e14234205a716e1a70537cc54b4916bae38d5872230c6c0abce4e1b8df

SHA512
7e6cfde9601869dddcdbcc97657a06c28fe8275b899746eee6b8858eb75bffaee9feb3f191936fe7aeb405bf4afc5437d7658ff39528cb5b15e3130a60821dd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whatgoal.exe

Filesize
51KB

MD5
70ea5dcc48050106d53dc725eb34c858

SHA1
2115413890b23a3beffca441a6871a433aaa83c3

SHA256
0cb6c649a9cb212b0e25528afece64e0e130d8c1b4a45cd677874472161793fc

SHA512
52142543759c5b9aeeeb4b99bdf71c82e7c937343697cc1e56b30c31de945cf765faef3c1074be2f59c691a7c0c30fff15a62dbfeb19dd20b9988f31a66cd703

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j4ggmlgy.hvs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3IMPQ.tmp\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.tmp

Filesize
338KB

MD5
75d2c506c0f6d6c95b8c8aaad4dbd9ed

SHA1
c21ba621badda3ff8c6fa65eb23cd3d6e063ebbb

SHA256
fd1bb67c30169fe2afccc223be39ab0c838fc9ab5104ca49db2edcf70a970ac0

SHA512
13b42dfe13dace954c2bcb9997f7b28429255bde9429b57f01820a49bb4dd6af3c560475b73c49fd576a0567facdb5a77ffe2b8506ef5034f8adddffd7a708e4

Download Submit
C:\Users\Admin\Windows Upgrade\wupgrdsv.exe

Filesize
1.7MB

MD5
c0c0bde664c84188c8da8a7c213a1ef5

SHA1
ec1e49955b18fb0b3499013c77531479fcc8d4d5

SHA256
9e5110215376f3e0650fb6ee256e15b6c738ed3d8d999fabb4dd93b9f7b7aee3

SHA512
2eabf9f7b0b1a32c16232f48cfe0f730429b7b80934441bf050cb16aadbde2522a33989e68dee3876b888725278b3c8994fc1efe629cb4935fac1d6954f89388

Download Submit
C:\Windows\SysWOW64\setting.ini

Filesize
142KB

MD5
1d736e6aac0af153f55a96a5f7c6252f

SHA1
8e76aa9412db456c11d4a5bba5b38ba9c0278c5e

SHA256
30787bcec8b1eb81824d3aa11876e9dc176d1f5f145cb4a1e2846b6c465f0ea3

SHA512
a7a80c18e459c013f28b419621ba1e4bd0aa1b5962022e7cc5618fb188e3b236f102ba42957f055ecb76073b8c3e6ef896af93efd2de8d662a92f551631d3669

Download Submit
C:\Windows\directx.sys

Filesize
90B

MD5
59c9e2a41f560931ec584bc78d3f2d8d

SHA1
ad2a1b1c986e14a642a2e5660fe3be6948a24e52

SHA256
e929029d1f12e4fe30a18f1378d98140d3e2a72913d62daf70d4579b76c58ee6

SHA512
b9e555ef225ddbf5be4fafb9bb31e9b8c8219565afa25ca7ee12f76c006f2be8f959d7bc8ed043d0224d7c2c4cb2fe2877263d924fc9a96340ca00219b59d80d

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
b7cd4aab463fc8ff2594aa94258a7e86

SHA1
eb006380bb5a9b23b9135b9ff27cd748c35893ba

SHA256
cac653bf0482f15a0918200a46fe25c41cae68d798316d8dc9dce16f5e9d3cab

SHA512
3a732fe58842fd2504c117cb91ade2fe58adf20553ae9faa227cc63ea63eb6018b3574c8b6f7f1387e00cd1aed7fac90b7f9802415480da2610ee95f849832ee

Download Submit
C:\Windows\directx.sys

Filesize
52B

MD5
57a59a9a5f38bd43afab1cd744363272

SHA1
c3facc0c86a6ac45a37c9380dbb8d98566ec21c0

SHA256
0ae49ccd9885ffeeb64bc28864031723887e700ae8c347dd4dd5bc09c39d840f

SHA512
0075a2caaef866307587e5f3fe2a62d4fcc4e473b24870022b5b755d7ddc36b0c25c19f534811fb4facbe33b6a42452e62ab1781b6570b1d9fbc93cdc8ab804c

Download Submit
C:\Windows\directx.sys

Filesize
52B

MD5
aa9953e8bc92329018dbec54788ac717

SHA1
c42a85db4025801fe5af20caab9234d235e2520c

SHA256
34578269e5e1e399c3be1fbac8dc3d098b72d707d722470d990e72e9707cfb24

SHA512
ac8a85aa1b82b201b78dac3904cd5cb5ee2c08242cf294f72378cf02e9c4fa54471c7027b1b31471fc6d61963c959cd416fd4082e1211de0f17fa9483473a2eb

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
6e8578f1199b9d78879e4689c08781d5

SHA1
8057447f2c94db7391643d70b930ef7bf9e3d3b9

SHA256
8e7bab209fe13685e7f78639a239da3abea86ebd78fcbb9d4e6ecad7267833eb

SHA512
8e604c9ee53b427bfcf7837d6006495c736744dd0bc773f7764b8ad723bd51fbf103b259a42a7227b18c833ad4be91443c53eaa52351931f92a524d05d0f11ca

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
a2136aac49064f03f353954e6153abdc

SHA1
f8dd33b0db917a355371715e3aa1845e1ef8e94a

SHA256
3705986a7654164f3c96ca90721b8bcf4264f1b9c2ad6d49972b7d9a037f40de

SHA512
994c9763baf65060be68647ba5c3034da22d6833dd1e7530efec91e750342479553173b034b61c90ce95cfb53e9434e5e2731242f8e804feaf93195ca0d4d4d9

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
c3c9ca310cb8084e0eb071d5363f3ea6

SHA1
dc0e2e58fc5f986a4404153aafadafea08d5517e

SHA256
7e7a138a8d9047bc1b86697f6d0be329d59009f480452b09548016fe581e6c4b

SHA512
57726bbd1328ace0f9159825b8f2b2b2c2c87f69105922cf4bfcc7137df9d5f69442771bd592efb18f8c92f9ab3ac7dfa374295eff605357ac5442659c0f74a3

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
ce7502498cf652bc078553c819b22b9b

SHA1
0c004b20996daf4790dbadbc0e6f8488d31b5bdb

SHA256
4cbf52e286610c3bf603e60ec54cde53ba83b49daa3b597fc1e792a8c027607b

SHA512
6fa9dbc77d077f3bafcfbdcf6a88a0671110ec79444ce55c0a080172c13d4c58cbb3fcac460b462fea596c6fa3c18c08f6c85145cc01047f1d84ab7cecea3f50

Download Submit
C:\Windows\directx.sys

Filesize
52B

MD5
63b3ddbeaacc897802953caca9c20d0d

SHA1
8ee2f93f1ae79c29957d639d1cb21f7590119486

SHA256
9a96e9088ab4c65f563ef0edf0220c971252bcad6c3e2e42193f1f2158f3f656

SHA512
da2b661dc8f386f62259ed1043da7bea209398313878cbd5afd307be4aff70cadcbe8c04366221c41d4e495631b7ee8a912e37867f3580b10e248ebaa4094c9f

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
82cb80d2892f9ddadaf34c9f4ff66e49

SHA1
bb70171f23c9246e1052e767125b6c1ac95dbd5d

SHA256
03cc5a2460a04180db2609a386c12da88d20e12a653b9b8a58925a8347af20d0

SHA512
a74721422b36d58b64f89db154d69164a38c9424601597354aaaa99d9e7dbbafcc23251ee0b41cc1a6e1209cf483ac5ecea873a749caa181c93d559916b08f70

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

Filesize
30KB

MD5
08fb2f5995a3730396de21786ae40df8

SHA1
c5b484b738a42b7676c78c65581273a530975e4f

SHA256
58456c22d1695c640a848588246584737dd047a91449ae159a6c8e7e7ed39584

SHA512
33a7a9c7591eebde8efb0f118e639da6e6518cefc3b51832bc636970bfb5b2ccf7c86ff17f9910cef3d8d1ef02b1054ca410fa1c2ae269b17ee9538b70ca427a

Download Submit
C:\Windows\svchost.com

Filesize
9KB

MD5
9aaeb24ebc69965283713e5af1b5d1bd

SHA1
e0c51a7a68538b99a3217068c3f08e4ea5667483

SHA256
b1e73dc16923f4d2a104cb1954ce111b4d456bee0f90635574c35359c3cc499b

SHA512
2a8339784f2e126eff945c82dbc9e3e3d49599ca46340d72d997841af47cf194fdfc958761e343ca1a44343e8707f1bbd5c7c42786bb8d456c4bee7764c03cab

Download Submit
C:\odt\OFFICE~1.EXE

Filesize
153KB

MD5
2fb683996d4cf129212e851eb0c95d45

SHA1
8796ceb68ea0337ecbffe5de9466587d88ab84ed

SHA256
caa864d49bc914d20b31fda29efc805479c3c120502182ad02034513b88beb70

SHA512
bfce887daedb05b17a93fd687495771f34c5eb2405c4e3dd0210d69e9af522517eaa2851793518285756a6225f8905a00e6c9e3a406dedc7daa6730faef126fe

Download Submit
memory/532-359-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/876-98-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/876-286-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/952-409-0x00000000004F0000-0x00000000009F4000-memory.dmp

Filesize
5.0MB

Download
memory/952-437-0x00007FFAE6FD0000-0x00007FFAE7A91000-memory.dmp

Filesize
10.8MB

Download
memory/952-539-0x00007FFAE6FD0000-0x00007FFAE7A91000-memory.dmp

Filesize
10.8MB

Download
memory/952-497-0x0000000001380000-0x0000000001381000-memory.dmp

Filesize
4KB

Download
memory/1308-198-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1332-356-0x00007FF729FF0000-0x00007FF72A566000-memory.dmp

Filesize
5.5MB

Download
memory/1332-180-0x00007FF729FF0000-0x00007FF72A566000-memory.dmp

Filesize
5.5MB

Download
memory/1548-12-0x0000000005B70000-0x0000000005B80000-memory.dmp

Filesize
64KB

Download
memory/1548-1-0x0000000000F20000-0x0000000000F28000-memory.dmp

Filesize
32KB

Download
memory/1548-11-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/1548-2-0x00000000058F0000-0x000000000598C000-memory.dmp

Filesize
624KB

Download
memory/1548-3-0x0000000005B70000-0x0000000005B80000-memory.dmp

Filesize
64KB

Download
memory/1548-0-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/1712-31-0x00007FF66AA00000-0x00007FF66AF76000-memory.dmp

Filesize
5.5MB

Download
memory/2616-1596-0x00007FFAE70F0000-0x00007FFAE7BB1000-memory.dmp

Filesize
10.8MB

Download
memory/2616-1620-0x000000001CBF0000-0x000000001CC00000-memory.dmp

Filesize
64KB

Download
memory/2616-1623-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/2636-199-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/2636-197-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/2636-182-0x00000000006F0000-0x0000000000704000-memory.dmp

Filesize
80KB

Download
memory/2636-546-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/2636-562-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/2748-321-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3100-288-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/3100-363-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/3100-104-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/3480-24-0x000001B3CA730000-0x000001B3CA740000-memory.dmp

Filesize
64KB

Download
memory/3480-28-0x00007FFAE75A0000-0x00007FFAE8061000-memory.dmp

Filesize
10.8MB

Download
memory/3480-25-0x000001B3CA730000-0x000001B3CA740000-memory.dmp

Filesize
64KB

Download
memory/3480-23-0x00007FFAE75A0000-0x00007FFAE8061000-memory.dmp

Filesize
10.8MB

Download
memory/3480-13-0x000001B3E45B0000-0x000001B3E45D2000-memory.dmp

Filesize
136KB

Download
memory/3504-75-0x0000021C52260000-0x0000021C52270000-memory.dmp

Filesize
64KB

Download
memory/3504-76-0x0000021C52260000-0x0000021C52270000-memory.dmp

Filesize
64KB

Download
memory/3504-109-0x0000021C52260000-0x0000021C52270000-memory.dmp

Filesize
64KB

Download
memory/3504-97-0x0000021C52260000-0x0000021C52270000-memory.dmp

Filesize
64KB

Download
memory/3504-117-0x00007FFAE6FD0000-0x00007FFAE7A91000-memory.dmp

Filesize
10.8MB

Download
memory/3504-74-0x00007FFAE6FD0000-0x00007FFAE7A91000-memory.dmp

Filesize
10.8MB

Download
memory/3980-245-0x0000000005A80000-0x0000000005C83000-memory.dmp

Filesize
2.0MB

Download
memory/3980-253-0x0000000005A80000-0x0000000005C83000-memory.dmp

Filesize
2.0MB

Download
memory/3980-218-0x0000000000F40000-0x0000000001168000-memory.dmp

Filesize
2.2MB

Download
memory/3980-222-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/3980-240-0x0000000005A80000-0x0000000005C83000-memory.dmp

Filesize
2.0MB

Download
memory/3980-259-0x0000000005A80000-0x0000000005C83000-memory.dmp

Filesize
2.0MB

Download
memory/3980-353-0x0000000005A80000-0x0000000005C83000-memory.dmp

Filesize
2.0MB

Download
memory/3980-358-0x0000000005A80000-0x0000000005C83000-memory.dmp

Filesize
2.0MB

Download
memory/3980-355-0x0000000005A80000-0x0000000005C83000-memory.dmp

Filesize
2.0MB

Download
memory/3980-241-0x0000000005A80000-0x0000000005C83000-memory.dmp

Filesize
2.0MB

Download
memory/3980-364-0x0000000005A80000-0x0000000005C83000-memory.dmp

Filesize
2.0MB

Download
memory/3980-351-0x0000000005A80000-0x0000000005C83000-memory.dmp

Filesize
2.0MB

Download
memory/3980-349-0x0000000005A80000-0x0000000005C83000-memory.dmp

Filesize
2.0MB

Download
memory/3980-263-0x0000000005A80000-0x0000000005C83000-memory.dmp

Filesize
2.0MB

Download
memory/3980-317-0x0000000005A80000-0x0000000005C83000-memory.dmp

Filesize
2.0MB

Download
memory/3980-267-0x0000000005A80000-0x0000000005C83000-memory.dmp

Filesize
2.0MB

Download
memory/3980-909-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/3980-229-0x0000000005A80000-0x0000000005C88000-memory.dmp

Filesize
2.0MB

Download
memory/3980-243-0x0000000005A80000-0x0000000005C83000-memory.dmp

Filesize
2.0MB

Download
memory/3980-257-0x0000000005A80000-0x0000000005C83000-memory.dmp

Filesize
2.0MB

Download
memory/3980-293-0x0000000005A80000-0x0000000005C83000-memory.dmp

Filesize
2.0MB

Download
memory/3980-247-0x0000000005A80000-0x0000000005C83000-memory.dmp

Filesize
2.0MB

Download
memory/3980-298-0x0000000005A80000-0x0000000005C83000-memory.dmp

Filesize
2.0MB

Download
memory/3980-255-0x0000000005A80000-0x0000000005C83000-memory.dmp

Filesize
2.0MB

Download
memory/3980-281-0x0000000005A80000-0x0000000005C83000-memory.dmp

Filesize
2.0MB

Download
memory/3980-283-0x0000000005A80000-0x0000000005C83000-memory.dmp

Filesize
2.0MB

Download
memory/3980-290-0x0000000005A80000-0x0000000005C83000-memory.dmp

Filesize
2.0MB

Download
memory/3980-251-0x0000000005A80000-0x0000000005C83000-memory.dmp

Filesize
2.0MB

Download
memory/3980-287-0x0000000005A80000-0x0000000005C83000-memory.dmp

Filesize
2.0MB

Download
memory/3980-269-0x0000000005A80000-0x0000000005C83000-memory.dmp

Filesize
2.0MB

Download
memory/4388-217-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4388-41-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4452-68-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/5180-264-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5244-239-0x00007FFAE6FD0000-0x00007FFAE7A91000-memory.dmp

Filesize
10.8MB

Download
memory/5244-248-0x000000001BD80000-0x000000001BD90000-memory.dmp

Filesize
64KB

Download
memory/5244-791-0x00007FFAE6FD0000-0x00007FFAE7A91000-memory.dmp

Filesize
10.8MB

Download
memory/5244-238-0x0000000000FA0000-0x0000000000FC2000-memory.dmp

Filesize
136KB

Download
memory/5244-249-0x0000000001770000-0x0000000001771000-memory.dmp

Filesize
4KB

Download
memory/5244-334-0x000000001BD80000-0x000000001BD90000-memory.dmp

Filesize
64KB

Download
memory/5480-309-0x00000000004A0000-0x00000000012FE000-memory.dmp

Filesize
14.4MB

Download
memory/5480-471-0x00000000004A0000-0x00000000012FE000-memory.dmp

Filesize
14.4MB

Download
memory/5548-297-0x000002C212550000-0x000002C212570000-memory.dmp

Filesize
128KB

Download
memory/5548-572-0x000002C213F70000-0x000002C213F90000-memory.dmp

Filesize
128KB

Download
memory/5592-921-0x00007FFAE6FD0000-0x00007FFAE7A91000-memory.dmp

Filesize
10.8MB

Download
memory/5736-370-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/5736-1934-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download